This brings up another ?. I think this is a good discussion, but it
appears most are doing pretty much the same thing. The other question
is local admin rights. Some software companies are still writing
software that require the user to have local admin rights for their
program to work correctly - as Scott says I've had to learn to live with
this. It amazes me that a company like Corbel, now Relius with all its
MS connections and IT niches is still doing this. Anyway it seems to me
that when Vista hits, this is going to be a huge mess.
-----Original Message-----
From: Thompson, Scott [mailto:scott.thompson@orion-sys.com]
Sent: Thursday, August 17, 2006 9:56 AM
To: focus-ms@securityfocus.com
Subject: RE: Workstation Shutdown / Logoff Policy :VSMail mx1
I have a one hour lockout on the screen saver set via global group
policy. I would like to set it for a shorter time, but I have mobile
users who give presentations and whatnot offsite. I have found that a
15 minute timout is too short, and a 1 hour - though too long for my
taste - is at least acceptable.
The last company I worked for I pushed the windows updates using daisy -
a program created in winbatch that I modified to suit my needs -
basically a WSUS server. When I inhereted this company (as director of
sysadmin :)) everyone had local admin rights. After I learned to live
with it (you have to pick your battles) I configured everyones automagic
updates via group policy to install the udpates when available, and then
pester the user to reboot (yeah, I got some complaints on that, but I
like to call it tough love). It's actually working quite well. When I
run a baseline on the network a day or two after black Tuesday it comes
back very clean.
Cheers,
Scott
-----Original Message-----
From: Jamie Fullerton [mailto:Jamie.Fullerton@ndbt.com]
Sent: Wednesday, August 16, 2006 3:19 PM
To: focus-ms@securityfocus.com
Subject: RE: Workstation Shutdown / Logoff Policy :VSMail mx1
Our current policy is that all stand-alone workstations have their
screensaver set to a 10 minute screensaver with the password required to
log back into the system. We encourage people to power off their
machines at night but we don't become the Power Gestapo in enforcing
this.
Our WSUS is configured to redeploy an update if the client is powered
down during the initial push of an update (normally an early morning
hour with little other traffic on the network).
On our Citrix clients all clients have their session terminated after
three hours of inactivity. This ensures that all clients are logged out
at the end of the business day. If for whatever reason they are not
fully logged off the servers, the Citrix servers themselves are rebooted
once a day as well.
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
